Check Point researchers warn that criminals could turn vacuum cleaners and dishwashers from LG into equipment for espionage.
Researchers at IT security company Check Point have found a security flaw in SmartThinQ, the smart home software from South Korean consumer electronics company LG. This, they claim, could enable hackers to take over internet-connected devices such as refrigerators, ovens, dishwashers, air conditioners, dryers, and washing machines. They have outline their findings in a detailed blog post.
Dubbed ‘HomeHack’, the flaw can even take control of an in-built security camera mounted on LG’s Hom-Bot vacuum cleaner, which doubles up as a home security device. When Hom-Bot detects movement in the home, an alert is sent to the homeowner’s smartphone, who can then switch on the Hom-Bot’s camera.
“However, this camera, in the case of account takeover, would allow the attacker to spy on the victim’s home, with no way of them knowing, with all the obvious negative consequences of invasion of privacy and personal security violation,” write Check Point’s researchers.
Security flaw in login app
Researchers found the flaw residing in the login process; that is, when users sign into their accounts on the LG SmartThinQ app. Hackers would need to recompile the LG application on the client side, in order to bypass security protections.
“This enables the traffic between the appliance and the LG server to be intercepted. Then, the would-be attacker creates a fake LG account to initiate the login process,” says Check Point’s researchers.
By manipulating the login process and entering the victim’s email address instead of their own, they explain, it is possible to hack into the victim’s account and take control of all LG SmartThinQ devices owned by the user.
Check Point said the flaw highlights the potential for smart home devices to be exploited, either to spy on home owners and residents and to steal data, or to use devices as staging posts for further attacks, such as spamming, denial of service attacks (as seen with the giant Mirai botnet in 2016) or spreading malware.
The researchers urge users of LG products to download the latest software updates from the LG website.